IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

OAuth: Add support for empty scopes (#32129)

Browse Source 
* add parameter empty_scopes to override scope parameter with empty value and thus be able to authenticate against IdPs without scopes. Issue #27503

Update docs/sources/auth/generic-oauth.md

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* updated check according to feedback

* Update generic-oauth.md

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
This commit is contained in:
jvoeller 2021-05-10 19:07:30 +02:00 committed by GitHub
parent c610eff5cd
commit 0d044285a9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
conf/defaults.ini
View File

@ -474,6 +474,7 @@ allow_sign_up = true
client_id = some_id client_id = some_id
client_secret = client_secret =
scopes = user:email scopes = user:email
empty_scopes = false
email_attribute_name = email:primary email_attribute_name = email:primary
email_attribute_path = email_attribute_path =
login_attribute_path = login_attribute_path =

1
conf/sample.ini
View File

@ -465,6 +465,7 @@
;client_id = some_id ;client_id = some_id
;client_secret = some_secret ;client_secret = some_secret
;scopes = user:email,read:org ;scopes = user:email,read:org
;empty_scopes = false
;email_attribute_name = email:primary ;email_attribute_name = email:primary
;email_attribute_path = ;email_attribute_path =
;login_attribute_path = ;login_attribute_path =

3
docs/sources/auth/generic-oauth.md
View File

@ -29,6 +29,7 @@ enabled = true
client_id = YOUR_APP_CLIENT_ID client_id = YOUR_APP_CLIENT_ID
client_secret = YOUR_APP_CLIENT_SECRET client_secret = YOUR_APP_CLIENT_SECRET
scopes = scopes =
empty_scopes = false
auth_url = auth_url =
token_url = token_url =
api_url = api_url =
@ -49,6 +50,8 @@ You can also specify the SSL/TLS configuration used by the client.
`tls_skip_verify_insecure` controls whether a client verifies the server's certificate chain and host name. If it is true, then SSL/TLS accepts any certificate presented by the server and any host name in that certificate. _You should only use this for testing_, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks. `tls_skip_verify_insecure` controls whether a client verifies the server's certificate chain and host name. If it is true, then SSL/TLS accepts any certificate presented by the server and any host name in that certificate. _You should only use this for testing_, because this mode leaves SSL/TLS susceptible to man-in-the-middle attacks.
Set `empty_scopes` to true to use an empty scope during authentication. By default, Grafana will use `user:email` as scope.
Grafana will attempt to determine the user's e-mail address by querying the OAuth provider as described below in the following order until an e-mail address is found: Grafana will attempt to determine the user's e-mail address by querying the OAuth provider as described below in the following order until an e-mail address is found:
1. Check for the presence of an e-mail address via the `email` field encoded in the OAuth `id_token` parameter. 1. Check for the presence of an e-mail address via the `email` field encoded in the OAuth `id_token` parameter.

6
pkg/login/social/social.go
View File

@ -85,6 +85,7 @@ func NewOAuthService() {
for _, name := range allOauthes { for _, name := range allOauthes {
sec := setting.Raw.Section("auth." + name) sec := setting.Raw.Section("auth." + name)
info := &setting.OAuthInfo{ info := &setting.OAuthInfo{
ClientId: sec.Key("client_id").String(), ClientId: sec.Key("client_id").String(),
ClientSecret: sec.Key("client_secret").String(), ClientSecret: sec.Key("client_secret").String(),
@ -107,6 +108,11 @@ func NewOAuthService() {
TlsSkipVerify: sec.Key("tls_skip_verify_insecure").MustBool(), TlsSkipVerify: sec.Key("tls_skip_verify_insecure").MustBool(),
} }
// when empty_scopes parameter exists and is true, overwrite scope with empty value
if sec.Key("empty_scopes").MustBool() {
info.Scopes = []string{}
}
if !info.Enabled { if !info.Enabled {
continue continue
} }